The ransomware was installed on its systems on January 25, 2017, with the issue remediated 8 days later on February 2, 2017. Third-party security experts were called in to assist with the forensic investigation of the breach and conducted a security scan of its systems to ensure all traces of malware had been removed.

The incident report has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been impacted.

Ransomware Attacks and HIPAA Rules

Ransomware attacks are not always reportable under HIPAA Rules. If an organization can demonstrate there was a low probability of PHI being acquired, accessed, used or disclosed (see OCR ransomware clarification), a breach report is not required and affected individuals would not need to be notified. That said, ransomware attacks are covered under the definition of security incidents in the HIPAA Security Rule (45 C.F.R. 164.304).

Further, the Department of Health and Human Services confirms in its guidance that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a [HIPAA] breach has occurred because the ePHI encrypted by the ransomware was acquired, and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”

A ransomware attack that involves ePHI being encrypted therefore requires the organization to follow security incident procedures, including procedures for reporting those incidents.

In this case, Walnut Place took the decision to send breach notification letters to those affected due to the sensitive nature of the data that was compromised in the attack. Walnut Place is also offering affected individuals 12 months of credit monitoring services free of charge.

However, the breach notices appear to have been delayed. Under HIPAA Rules, organizations have up to 60 days following the discovery of the breach to issue notifications. The press release issued by Walnut Place on May 12, 2017 states that the ransomware attack was only discovered by its ‘leadership’ on March 13, 2017.

The press release, and notifications, were therefore issued within 60 days of leadership discovering the breach, but more than 3 months after the breach was actually discovered and remediated.

That suggests the ransomware attack was identified and dealt with without the knowledge of the organization’s leadership and/or there was an impermissible delay in issuing notifications and a potential violation of the HIPAA Breach Notification Rule.

The incident highlights the importance of ensuring that policies and procedures are implemented requiring all potential PHI incidents to be reported internally to the organization’s leadership. Policies and procedures should also be in place to ensure OCR, affected individuals and state officials receive timely notifications of security incidents. The failure to report incidents in a timely manner can attract a financial penalty.

OCR has already settled with a covered entity solely for delayed breach notifications. A settlement of $475,000 was reached with Presence Health of Illinois for delaying the issuance of breach notifications by 34 days, more than a month outside the maximum time frame allowable under the HIPAA Breach Notification Rule.

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.


About HIPAA Journal

HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.